P3P Future Work Items 4.b: SemanticIssues
Purpose
P3P assumes "Accuracy" between all policies related to given data
collection, including: Natural Language Policy (which is itself a
requirement of P3P), a Full XML policy and a Compact Policy (if used). To
accommodate a data collector's need to describe their practices, P3P has a
base data schema and the ability to extend that schema to accommodate
particular collector practices where those practices cannot be accurately
described within the existing schema. The difficulty with Compact Policies,
CPs, is that they allow for only a subset of the functionality of the Full
Policy with no ability to extend or accurately group practices. The result
is an inability for a data collector to be truly accurate within the
limited syntax. This then implies that to be accurate in a CP the data
collector MUST overstate.
Currently the CP allows a collector to make statements from among the
following predefined groups: <PURPOSE>s-12, <RECIPIENT>s-6, data
<CATEGORIES>-16, <ACCESS>-6, <RETENTION>-5, <DISPUTES>-1, <REMEDIES>-3.
This effectively limits a CP implementer to the requirement of accurately
representing his/her NLP by choosing from ~49 predefined tokens (over the UA
rendering of which the collector will have no control, but for which they
will be liable).
This lack of nuance forces a data collector who e.g. associates a cookie
with a proclivity to examine cold remedies with a category that also
includes "mental health" and "sexual orientation". It is extremely possible
that such statements may be illegal within the affected jurisdiction or
specifically against the NLP expressed practices of the data collector.
Scope:
Possible areas of exploration could include:
1. If accuracy and consistency across NLP<->XML<->CP is core to
P3P but unachievable by the CP do we scrap the accuracy requirement or the
CP? Is there a better balance to be found? Or a better language construct
than "accurate"?
2. Examine what exactly we are trying to achieve with the CPs?
Do we allow it to be a performance optimisation only as an imperfect
placeholder until a Full policy can be discovered?
3. Consider adding a token which denotes the "up to and
including" nature of the statements made by a CP or should this be better
explained within the spec with more delineated requirements for UAs.
4. Consider adding more tokens to allow some degree more
nuance.
5. *It should be noted that a number of these issues overlap
Question 1. Vocabulary Issues
Resources:
The size of this issue requires the resources of a full working group.
Time Frame:
To me this problem is fundamentally the question of trading off between the
accuracy requirement in the spec (which is likely to be upheld by
enforcement agencies) and the performance increases of the Compact Policy.
Brooks Dobbs
Director of Privacy Technology
DoubleClick, Inc.
office: 404.836.0525
fax: 404.836.0521
email: bdobbs@doubleclick.net
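
The overstatement described under Purpose can be measured. The following is an added example, not part of the original post or of the P3P specification: it flattens a constructed three-statement full policy into compact-policy token sets and counts the purpose/recipient/category combinations a user agent would have to assume but that the full policy never declares. It models only three of the CP groups and assumes the UA reads a CP as one flat statement; the sample policy and function names are hypothetical.

```python
from itertools import product

FIELDS = ("purpose", "recipient", "category")

# Constructed sample: each full-policy statement groups its own purposes,
# recipients and data categories (written with P3P compact token names).
FULL_POLICY = [
    {"purpose": {"ADM"}, "recipient": {"OUR"}, "category": {"NAV"}},
    {"purpose": {"CON"}, "recipient": {"OUR"}, "category": {"ONL"}},
    {"purpose": {"TAI"}, "recipient": {"OUR", "DEL"}, "category": {"HEA"}},
]

def practices(statements):
    """Every (purpose, recipient, category) triple the statements declare."""
    declared = set()
    for stmt in statements:
        declared |= set(product(*(stmt[f] for f in FIELDS)))
    return declared

def to_compact(statements):
    """Flatten to compact form: per-group union, statement grouping is lost."""
    return {f: set().union(*(s[f] for s in statements)) for f in FIELDS}

def implied_by_compact(cp):
    """Assumed UA reading: any token may pair with any token of another group."""
    return set(product(*(cp[f] for f in FIELDS)))

def overstatement(statements):
    """Return (declared, implied, extra) where extra = implied - declared."""
    declared = practices(statements)
    implied = implied_by_compact(to_compact(statements))
    return declared, implied, implied - declared

if __name__ == "__main__":
    declared, implied, extra = overstatement(FULL_POLICY)
    cp = to_compact(FULL_POLICY)
    print("CP tokens:", " ".join(sorted(t for f in FIELDS for t in cp[f])))
    print(f"declared={len(declared)} implied={len(implied)} extra={len(extra)}")
    for triple in sorted(extra):
        print("  never declared, but implied:", triple)
```
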